cacti: CVE-2022-46169: Unauthenticated Command Injection


Debian Bug report logs - #1025648


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 6 Dec 2022 20:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version cacti/1.2.22+ds1-2



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#1025648; Package src:cacti. (Tue, 06 Dec 2022 20:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 06 Dec 2022 20:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cacti: CVE-2022-46169: Unauthenticated Command Injection
Date: Tue, 06 Dec 2022 21:37:18 +0100
Source: cacti
Version: 1.2.22+ds1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for cacti.

CVE-2022-46169[0]:
| Cacti is an open source platform which provides a robust and
| extensible operational monitoring and fault management framework for
| users. In affected versions a command injection vulnerability allows
| an unauthenticated user to execute arbitrary code on a server running
| Cacti, if a specific data source was selected for any monitored
| device. The vulnerability resides in the `remote_agent.php` file. This
| file can be accessed without authentication. This function retrieves
| the IP address of the client via `get_client_addr` and resolves this
| IP address to the corresponding hostname via `gethostbyaddr`. After
| this, it is verified that an entry within the `poller` table exists,
| where the hostname corresponds to the resolved hostname. If such an
| entry was found, the function returns `true` and the client is
| authorized. This authorization can be bypassed due to the
| implementation of the `get_client_addr` function. The function is
| defined in the file `lib/functions.php` and checks several `$_SERVER`
| variables to determine the IP address of the client. The variables
| beginning with `HTTP_` can be arbitrarily set by an attacker. Since
| there is a default entry in the `poller` table with the hostname of
| the server running Cacti, an attacker can bypass the authentication
| e.g. by providing the header `Forwarded-For: <TARGETIP>`. This
| way the function `get_client_addr` returns the IP address of the
| server running Cacti. The following call to `gethostbyaddr` will
| resolve this IP address to the hostname of the server, which will pass
| the `poller` hostname check because of the default entry. After the
| authorization of the `remote_agent.php` file is bypassed, an attacker
| can trigger different actions. One of these actions is called
| `polldata`. The called function `poll_for_data` retrieves a few
| request parameters and loads the corresponding `poller_item` entries
| from the database. If the `action` of a `poller_item` equals
| `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to
| execute a PHP script. The attacker-controlled parameter `$poller_id`
| is retrieved via the function `get_nfilter_request_var`, which allows
| arbitrary strings. This variable is later inserted into the string
| passed to `proc_open`, which leads to a command injection
| vulnerability. By e.g. providing the `poller_id=;id` the `id` command
| is executed. In order to reach the vulnerable call, the attacker must
| provide a `host_id` and `local_data_id`, where the `action` of the
| corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both
| of these ids (`host_id` and `local_data_id`) can easily be
| bruteforced. The only requirement is that a `poller_item` with an
| `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a
| productive instance because this action is added by some predefined
| templates like `Device - Uptime` or `Device - Polling Time`. This
| command injection vulnerability allows an unauthenticated user to
| execute arbitrary commands if a `poller_item` with the `action` type
| `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization
| bypass should be prevented by not allowing an attacker to make
| `get_client_addr` (file `lib/functions.php`) return an arbitrary IP
| address. This could be done by not honoring the `HTTP_...` `$_SERVER`
| variables. If these should be kept for compatibility reasons it should
| at least be prevented to fake the IP address of the server running
| Cacti. This vulnerability has been addressed in both the 1.2.x and
| 1.3.x release branches with `1.2.23` being the first release
| containing the patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46169
    https://www.cve.org/CVERecord?id=CVE-2022-46169
[1] https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
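The advisory quoted above names two root causes: `get_client_addr` trusts attacker-settable `HTTP_*` entries of `$_SERVER`, and `poller_id` reaches the `proc_open` command string without being restricted to an integer. The PHP below is an added example written for this page to show the hardened shape of both checks; it is not Cacti's code, and Cacti's real `get_client_addr` and `poll_for_data` are not reproduced. The function names, the script path placeholder and the sample request values are constructed for the illustration.

```php
<?php
// Added example (not Cacti's code). Shows the defensive pattern the advisory asks for:
// (1) take the client address only from REMOTE_ADDR, never from HTTP_* request headers;
// (2) accept poller_id only as a string of digits before it can reach a command line;
// (3) pass each command component through escapeshellarg so nothing is shell-interpreted.

/**
 * Return the peer address the web server actually saw.
 * $_SERVER['HTTP_*'] entries mirror request headers and are fully client-controlled,
 * so they are deliberately ignored. Deployments behind a reverse proxy should let the
 * proxy layer (e.g. the web server's remote-IP module) rewrite REMOTE_ADDR instead.
 */
function hardened_client_addr(array $server): ?string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    // Anything that is not a syntactically valid IPv4/IPv6 literal is rejected.
    return filter_var($addr, FILTER_VALIDATE_IP) === false ? null : $addr;
}

/**
 * Validate a request parameter that must be a non-negative integer id.
 * Returns null for anything that is not purely digits, so a value such as
 * ";id" is refused before any command string is built.
 */
function strict_int_param(array $request, string $name): ?int
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return null;
    }
    // ctype_digit rejects signs, whitespace and shell metacharacters outright.
    return ctype_digit($request[$name]) ? (int) $request[$name] : null;
}

/**
 * Build the command line for the PHP script poller with every component escaped.
 * Even an already-validated id is quoted, so the shell never interprets it.
 */
function build_script_command(string $php, string $script, int $poller_id): string
{
    return escapeshellarg($php) . ' '
        . escapeshellarg($script) . ' '
        . escapeshellarg((string) $poller_id);
}

/**
 * Self-check on constructed request data (not captured traffic).
 * Each entry is true when the hardened check behaves as intended.
 */
function self_check(): array
{
    $forged_server = [
        'REMOTE_ADDR'          => '203.0.113.7', // the real socket peer
        'HTTP_FORWARDED_FOR'   => '192.0.2.1',   // forged header: must be ignored
        'HTTP_X_FORWARDED_FOR' => '192.0.2.1',   // forged header: must be ignored
    ];
    $results = [];
    $results['forged_headers_ignored'] = hardened_client_addr($forged_server) === '203.0.113.7';
    $results['missing_remote_addr_rejected'] = hardened_client_addr([]) === null;
    $results['metacharacter_id_rejected'] = strict_int_param(['poller_id' => ';id'], 'poller_id') === null;
    $results['negative_id_rejected'] = strict_int_param(['poller_id' => '-1'], 'poller_id') === null;
    $results['numeric_id_accepted'] = strict_int_param(['poller_id' => '1'], 'poller_id') === 1;
    return $results;
}

foreach (self_check() as $name => $ok) {
    printf("%-32s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
// '/path/to/poller_script.php' is a placeholder, not a Cacti file path.
echo build_script_command('/usr/bin/php', '/path/to/poller_script.php', 1), PHP_EOL;
```

Run it with the PHP CLI; every self-check line should print `ok`. The point of `build_script_command` is that the validated id is still quoted: integer validation stops injection at the boundary, and `escapeshellarg` is the second layer in case a future change lets a wider value through.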





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 7 07:19:04 2022; Machine Name: bembo
